Description of problem:
========================
On RHEL6 installed with glusterfs-3.8.4-13 build, when we start glustereventsd service, it fails with a traceback even though the service is actually started (ps -ef confirms that). An avc is logged with tclass:udp_socket.

>> type=AVC msg=audit(1486457211.185:274780): avc: denied { name_bind } for pid=32761 comm="python" src=24009 scontext=unconfined_u:system_r:glusterd_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

Once we hit this, we are unable to stop/start glustereventsd service, as it fails with the error mentioned below:

>> [root@dhcp35-91 selinux_policy]# service glustereventsd status
>> glustereventsd dead but subsys locked

There is a boolean 'allow_ypbind' (renamed: nis_enabled) which when enabled helps us to not hit this issue. Having said that, enabling the boolean is just a work around, and BZ 1411743 has been raised by Milos Malik requesting for a fix for the same. Marking this BZ as a dependent of BZ 1411743, so that it can be tracked from RHGS-end.

Version-Release number of selected component (if applicable):
============================================================
selinux-policy-3.7.19-292.el6_8.3
glusterfs-3.8.4-13

How reproducible:
=================
2:2

Additional info:
================
[root@dhcp35-91 selinux_policy]# service glustereventsd restart
Stopping glustereventsd:/bin/bash: line 1: 13185 Terminated /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
[ OK ]
Starting glustereventsd: Failed to start Eventsd: [Errno 13] Permission denied
[root@dhcp35-91 selinux_policy]#
[root@dhcp35-91 selinux_policy]# service glustereventsd status
glustereventsd dead but subsys locked
[root@dhcp35-91 selinux_policy]# vim /var/log/audit/audit.log
[root@dhcp35-91 selinux_policy]# ausearch -m avc -m selinux_err -i -ts recent
----
type=SYSCALL msg=audit(02/07/2017 14:16:51.185:274780) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x7ffef992c880 a2=0x10 a3=0x7 items=0 ppid=32760 pid=32761 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=18497 comm=python exe=/usr/bin/python subj=unconfined_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(02/07/2017 14:16:51.185:274780) : avc: denied { name_bind } for pid=32761 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
[root@dhcp35-91 selinux_policy]#
[root@dhcp35-91 selinux_policy]#
[root@dhcp35-91 selinux_policy]# ps -ef | grep glustereventsd
root 1831 6077 0 14:28 pts/0 00:00:00 grep glustereventsd
root 13186 1 0 11:54 pts/0 00:00:00 python /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
root 32757 1 0 14:16 pts/0 00:00:00 /bin/bash /etc/init.d/glustereventsd restart
root 32760 32757 0 14:16 pts/0 00:00:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
root 32761 32760 0 14:16 pts/0 00:00:00 python /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
root 32762 32761 0 14:16 pts/0 00:00:00 python /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
[root@dhcp35-91 selinux_policy]#
[root@dhcp35-91 selinux_policy]# gluster-eventsapi status
Webhooks: None

+-------------+-------------+-----------------------+
| NODE        | NODE STATUS | GLUSTEREVENTSD STATUS |
+-------------+-------------+-----------------------+
| 10.70.35.83 | UP          | OK                    |
| 10.70.35.92 | UP          | OK                    |
| localhost   | UP          | OK                    |
+-------------+-------------+-----------------------+
[root@dhcp35-91 selinux_policy]# gluster-eventsapi webhook-test http://10.70.35.109:9000/listen
+-------------+-------------+----------------+
| NODE        | NODE STATUS | WEBHOOK STATUS |
+-------------+-------------+----------------+
| 10.70.35.83 | UP          | OK             |
| 10.70.35.92 | UP          | OK             |
| localhost   | UP          | OK             |
+-------------+-------------+----------------+
[root@dhcp35-91 selinux_policy]# gluster-eventsapi webhook-add http://10.70.35.109:9000/listen
+-------------+-------------+-------------+
| NODE        | NODE STATUS | SYNC STATUS |
+-------------+-------------+-------------+
| 10.70.35.83 | UP          | OK          |
| 10.70.35.92 | UP          | OK          |
| localhost   | UP          | OK          |
+-------------+-------------+-------------+
[root@dhcp35-91 selinux_policy]#
[root@dhcp35-91 selinux_policy]# getsebool allow_ypbind
allow_ypbind --> off
[root@dhcp35-91 selinux_policy]# setsebool allow_ypbind on
[root@dhcp35-91 selinux_policy]# getsebool allow_ypbind
allow_ypbind --> on
[root@dhcp35-91 selinux_policy]#
[root@dhcp35-91 ~]# service glustereventsd status
glustereventsd dead but subsys locked
[root@dhcp35-91 ~]# service glustereventsd start
Starting glustereventsd:
[root@dhcp35-91 ~]# service glustereventsd status
glustereventsd (pid 5905) is running...
[root@dhcp35-91 ~]# service glustereventsd stop
Stopping glustereventsd:/bin/bash: line 1: 5905 Terminated /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
[ OK ]
[root@dhcp35-91 ~]# service glustereventsd status
glustereventsd is stopped
[root@dhcp35-91 ~]#
[root@dhcp35-91 ~]# ps -ef | grep glustereventsd
root 5906 1 0 14:58 pts/0 00:00:00 python /usr/sbin/glustereventsd --pid-file=/var/run/glustereventsd.pid
root 5980 6077 0 14:58 pts/0 00:00:00 grep glustereventsd
[root@dhcp35-91 ~]# service glustereventsd start
Starting glustereventsd:
[root@dhcp35-91 ~]# service glustereventsd status
glustereventsd (pid 6003) is running...
[root@dhcp35-91 ~]#
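
Added example (not part of the original report, and not code from glusterfs or selinux-policy): a small Python parser for the AVC records quoted in the report above, in both the raw audit.log form and the `ausearch -i` form, that lists denied name_bind requests on ports still carrying the generic port_t label. The function names and the third sample line are constructed for illustration.

```python
import re

# AVC records copied from this report: the raw audit.log form and the
# `ausearch -i` interpreted form. The third line is constructed as a non-match.
SAMPLE = [
    'type=AVC msg=audit(1486457211.185:274780): avc: denied { name_bind } for pid=32761 comm="python" src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(02/07/2017 14:16:51.185:274780) : avc: denied { name_bind } for pid=32761 comm=python src=24009 scontext=unconfined_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1486457300.000:274799): avc: denied { read } for pid=100 comm="cat" name="x" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Raw records quote string values (comm="python"); ausearch -i does not.
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type drives the decision.
    rec['source_type'] = rec.get('scontext', ':::').split(':')[2]
    rec['target_type'] = rec.get('tcontext', ':::').split(':')[2]
    return rec


def unlabeled_port_binds(lines):
    """Denied binds to ports that carry only the generic port_t label."""
    hits = set()  # the same event appears once per log form, so de-duplicate
    for line in lines:
        rec = parse_avc(line)
        if (rec and 'name_bind' in rec['perms']
                and rec.get('tclass') in ('udp_socket', 'tcp_socket')
                and rec['target_type'] == 'port_t'):
            proto = rec['tclass'].split('_')[0]
            hits.add((rec['source_type'], rec['comm'], proto, int(rec['src'])))
    return sorted(hits)


if __name__ == '__main__':
    for domain, comm, proto, port in unlabeled_port_binds(SAMPLE):
        print(f'{domain} ({comm}) denied name_bind on {proto}/{port}, labelled port_t')
```
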
Do we really need this documented if we are not going to mention anything about Eventing in our guides? In other words, if we are not letting anyone know that there is a service like 'glustereventsd', then no one will try to enable it.. and if no one tries, no one will really hit this issue.. why simply advertise it?